Security Vulnerability Report
CVE-2026-33362 CVSS 8.6 HIGH

CVE-2026-33362

Published: 2026-05-11 17:16:31
Last Modified: 2026-05-11 17:16:31
Source: 44488dab-36db-4358-99f9-bc116477f914

Description

In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
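The practical consequence of a shared, hardcoded signing key is that it proves nothing beyond possession of the APK. The following is an added example, not code from the page, from Meari, or from the linked advisory or PoC repository: it models a client that HMAC-signs requests with a key compiled into every install, shows that a forged request for someone else's device verifies, and contrasts that with a per-device key derived from a server-only root secret, a replay window, and authorization tied to the identity the key proves. The HMAC scheme, canonical string, paths, device names and key values are all assumptions for illustration; the advisory does not describe the SDK's real signing format.

```python
"""Added example (not Meari, runZero or PoC-repo code): what a signing key
compiled into every copy of an app actually proves, and a per-device
alternative.  Key values, paths and device names are constructed."""
import hashlib
import hmac
import json
import time

# Assumption: the client signs requests as HMAC-SHA256 over a canonical string
# with a key shipped inside the APK.  Every install has the same key, so
# anyone who decompiles the app has it too.
SHARED_APP_KEY = b"constructed-key-compiled-into-every-apk"
REPLAY_WINDOW_S = 300


def canonical(method: str, path: str, body: str, ts: int) -> bytes:
    """Canonical request string covered by the signature (assumed format)."""
    return f"{method}\n{path}\n{ts}\n{body}".encode()


def sign(key: bytes, method: str, path: str, body: str, ts: int) -> str:
    return hmac.new(key, canonical(method, path, body, ts), hashlib.sha256).hexdigest()


def verify_shared(method, path, body, ts, sig, now) -> bool:
    """Server check when the only key is the one baked into the app.
    It answers 'does the sender hold the app key', which every attacker with
    the APK does; it says nothing about who the sender is."""
    if abs(now - ts) > REPLAY_WINDOW_S:
        return False
    return hmac.compare_digest(sign(SHARED_APP_KEY, method, path, body, ts), sig)


# Hardened pattern (assumed, not the vendor's fix): a root secret that exists
# only server-side, a per-device key derived from it at enrolment, and
# authorization based on the identity that key proves, not on the request body.
SERVER_ROOT_SECRET = b"constructed-root-secret-never-shipped-to-clients"


def provision_device_key(device_id: str) -> bytes:
    """Derive a device-specific key (HMAC used as a KDF).  Run at enrolment and
    handed to that one device over an authenticated channel."""
    return hmac.new(SERVER_ROOT_SECRET, f"device-key:{device_id}".encode(),
                    hashlib.sha256).digest()


def verify_per_device(device_id, method, path, body, ts, sig, now) -> bool:
    if abs(now - ts) > REPLAY_WINDOW_S:
        return False
    key = provision_device_key(device_id)  # server re-derives; stores nothing
    if not hmac.compare_digest(sign(key, method, path, body, ts), sig):
        return False
    # Authorize on the proven identity: a device may only act on itself.
    return json.loads(body).get("deviceId") == device_id


def demo(now=None) -> dict:
    """Run the four scenarios and report which ones the server accepts."""
    now = int(time.time()) if now is None else now
    path = "/device/stream"
    body = json.dumps({"deviceId": "victim-cam", "action": "stream"})

    # Attacker pulled SHARED_APP_KEY out of the APK and signs a request for a
    # device that is not theirs: accepted, the server cannot tell the difference.
    forged = sign(SHARED_APP_KEY, "POST", path, body, now)
    shared_accepts = verify_shared("POST", path, body, now, forged, now)

    # Same attacker with a legitimately enrolled device of their own.
    attacker_key = provision_device_key("attacker-cam")
    forged2 = sign(attacker_key, "POST", path, body, now)
    as_victim = verify_per_device("victim-cam", "POST", path, body, now, forged2, now)
    as_self = verify_per_device("attacker-cam", "POST", path, body, now, forged2, now)

    # Legitimate owner, then the same captured request replayed after the window.
    legit = sign(provision_device_key("victim-cam"), "POST", path, body, now)
    legit_ok = verify_per_device("victim-cam", "POST", path, body, now, legit, now)
    replay = verify_per_device("victim-cam", "POST", path, body, now, legit,
                               now + REPLAY_WINDOW_S + 1)
    return {"shared_key_accepts_forgery": shared_accepts,
            "per_device_as_victim": as_victim,
            "per_device_as_self": as_self,
            "per_device_legit": legit_ok,
            "per_device_stale_replay": replay}


if __name__ == "__main__":
    print(demo())
```

The point of `verify_per_device` is that extracting one device's key (which is still possible from a rooted phone) only lets an attacker act as that device, and the server can revoke a single derived key without rotating the root secret; the shared-key design has neither property.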

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data has been published yet (vulnStatus: Received). The affected builds named in the description are:

CloudEdge 5.5.0 (build 220)
Arenti 1.8.1 (build 220)
White-label Android apps <= 1.8.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept: extracting and using hardcoded secrets.
# Conceptual demonstration only: the key below is a mock value and no request
# is actually sent to any API.
import re


def find_secret_key(apk_file_path):
    """Simulate locating a hardcoded key in APK strings or smali.

    In a real scenario one would decompile the APK (for example with jadx)
    or run 'strings' over the extracted classes; here the content is mocked.
    """
    print(f"[*] Analyzing {apk_file_path}...")
    # Example pattern found in Meari SDK apps (mock content, not a real key)
    mock_apk_content = "... api_sign_key=SECRET_MEARI_KEY_12345 ..."
    match = re.search(r'api_sign_key=(.*?)\s', mock_apk_content)
    if match:
        return match.group(1)
    return None


def exploit_api_with_key(secret_key):
    print(f"[+] Found Hardcoded Key: {secret_key}")
    print("[*] Attempting to access API using shared key...")
    # Attacker constructs a valid request using the stolen key
    headers = {
        "Authorization": f"Bearer {secret_key}",
        "User-Agent": "Meari-SDK-Attacker",
    }
    # In a real attack these headers would go on a request to the IoT device
    # management API; this demonstration only reports what would be sent.
    print(f"[*] Request headers: {headers}")
    print("[!] Successfully authenticated to API. Can now list devices or decrypt streams.")


if __name__ == "__main__":
    target_app = "CloudEdge-v5.5.0.apk"
    key = find_secret_key(target_app)
    if key:
        exploit_api_with_key(key)
```
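The PoC above only simulates finding a key against a mocked string. The following is an added example, not code from the page, from Meari, or from the linked advisory: an offline triage pass over decompiled output (the Java that `jadx -d out app.apk` writes, or smali) that flags string constants with credential-like names or high entropy and redacts the values in its findings so they do not end up verbatim in a ticket. The sample input is constructed, not taken from any Meari build, and the keyword list, length cut-offs and 3.5 bits/char entropy threshold are heuristics chosen here, not anything the advisory specifies.

```python
"""Added example (not the page's PoC and not vendor tooling): triage of
decompiled Android output for hard-coded secret material.  Sample input is
constructed; thresholds are heuristics, not values from the advisory."""
import math
import re
from collections import Counter

# Identifier fragments that usually mean a constant is credential material.
SECRET_NAME_HINTS = ("key", "secret", "sign", "token", "access", "salt",
                     "passw", "credential")
# Java/Kotlin-style assignment as jadx emits it, and smali string constants.
JAVA_ASSIGN = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]{8,})"')
SMALI_CONST = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]+)"')


def shannon_entropy(s: str) -> float:
    """Bits per character; around 3.5+ on a short literal usually means
    random key material rather than a resource name or log message."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(name, value):
    """Return a reason string if the literal looks like a secret, else None."""
    named_like_secret = name is not None and any(
        h in name.lower() for h in SECRET_NAME_HINTS)
    if named_like_secret and len(value) >= 16:
        return "secret-like name with a long literal"
    if len(value) >= 20 and shannon_entropy(value) >= 3.5:
        return f"high-entropy literal ({shannon_entropy(value):.2f} bits/char)"
    return None


def redact(value: str) -> str:
    """Keep a fingerprint for triage; never record the full value."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str):
    """Scan decompiled text line by line; returns findings in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = JAVA_ASSIGN.search(line)
        if m:
            name, value = m.group(1), m.group(2)
        else:
            m = SMALI_CONST.search(line)
            if not m:
                continue
            name, value = None, m.group(1)  # smali gives no field name here
        reason = classify(name, value)
        if reason:
            findings.append({"line": lineno, "name": name,
                             "reason": reason, "value": redact(value)})
    return findings


# Constructed sample of decompiled output (not real Meari SDK code).
# Lines 1, 2 and 5 are the false-positive shapes the heuristics must skip.
SAMPLE_DECOMPILED = """\
private static final String TAG = "MeariSdkDemo";
private static final String KEY_PREF_LOGIN = "pref_login_name";
private static final String API_SIGN_KEY = "4a7e2c9f1b8d3e6a5c0f9b2d7e4a1c8f";
public static final String PWD_TRANSPORT_KEY = "0123456789abcdef";
Log.d(TAG, "Connecting to device management service endpoint");
const-string v0, "mQ3vT9xL2pR7kW5nJ8bZ4cF6hD1sG0yA"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DECOMPILED):
        print(finding)
```

Run it over a whole decompiled tree with something like `scan_text(open(path).read())` per file; a hit only means "worth a look", and the confirming step is still to check where the constant flows (a signing call, a cipher init, an HTTP header), which is the part the advisory describes and this scanner does not attempt.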

References

https://github.com/xn0tsa/nobody-puts-baby-in-a-corner
https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362/

Weakness: CWE-321 (Use of Hard-coded Cryptographic Key)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33362",
    "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914",
    "published": "2026-05-11T17:16:31.083",
    "lastModified": "2026-05-11T17:16:31.083",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "44488dab-36db-4358-99f9-bc116477f914",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "44488dab-36db-4358-99f9-bc116477f914",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-321"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner",
        "source": "44488dab-36db-4358-99f9-bc116477f914"
      },
      {
        "url": "https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362/",
        "source": "44488dab-36db-4358-99f9-bc116477f914"
      }
    ]
  }
}
```